Picture the banking Trojan Zeus hiding in innocuous images — photos of your kids, a kitten, a sunset — and that just may be the worst horror show imaginable.

And it may be coming to a computer near you.

That's the loud alert from security firm Trusteer, which has sounded an alarm about what it dubs ZeusVM.

And, said Trusteer fraud prevention expert Etay Maor, it allows cyber crooks to hide command and control instructions for Zeus malware in pictures that at first glance seem harmless. At second glance too: “the human eye does not detect that the image has been altered,” Maor said.

Back up a step: Zeus — first identified in 2007 — quickly established itself as the most pernicious banking malware ever. It is estimated to be on over three million Windows-based computers in the U.S. alone. It is not known to run on Apple operating systems, Linux or ChromeOS.

What it does, much of the time, is absolutely nothing. That is key to its genius. It lies dormant until the infected computer visits a targeted banking or credit union website, and then it hops into motion, capturing login credentials such as username and password. Later, those juicy details are transmitted to a criminal who busies himself looting that account.

To the financial institution, it looks like the rightful owner has logged in because the credentials are perfect.

Zeus divides into two parts. There's the actual malware code, usually installed when an unwitting victim clicks on an email link that purports to take him to a legitimate site but takes a detour along the way, where a tiny chunk of evil code is installed.

The other part of Zeus is the instruction sets, typically constructed for particular banks or credit unions. These command and control instructions tell the malware what to collect, from which fields, when the victim visits specified banking sites.
Both parts are needed for Zeus to steal.

What is delivered in the images, said Jesper Jurcenoks, director of research at security firm Critical Watch, is not the so-called executable code — the actual Zeus malware Trojan — but the instruction sets.

Since there is no executable, it is even harder for security screening tools to tumble to the fact that the picture is bad.

Note, too, there is no need to download the infected image to a victim computer. “If the image is on a website, just looking at it in the browser is enough. The instructions will download to your computer,” said Kevin Epstein, a vice president at cyber-security firm Proofpoint.

By the time your eyes have focused on the image, the instructions are on your computer, said Epstein.

What makes ZeusVM important, said various security experts, is that Zeus detection systems had been making progress in blocking delivery of the instruction sets, because those sets all revolve around particular words such as “bank.”

With ZeusVM, the words are camouflaged in that innocuous image. That's why the image may let Zeus evade standard detection screens.

Worse news: this may be just the start of an avalanche of bad images and other, ever more devious strategies designed to hide toxic payloads, said Chad Davis, an expert in what is called steganography with Backbone Security.

Steganography, which goes back centuries, involves hiding information in plain sight and, said Davis, “most security systems don't look hard at images, which is why this can be so effective.”

Imagine a credit union employee gets an email with a half dozen embedded pictures of a member's children. Now imagine that those pictures have ZeusVM hidden in them. The nightmare hits full speed if the employee's computer — maybe one at home — has a dormant version of Zeus on it.

The additional uses of the technique boggle the mind.

“With steganography, you could hide thousands of credit card numbers in a single image. This would pass through almost all data exfiltration screens,” Davis elaborated. “This is a big threat. There may be an infinite number of ways to hide information.”

His firm prediction: “You will see more and more sophisticated attacks, using steganography.”

And that means existing security systems, generally useless against the attack vector today, need to be tweaked, fast, before these kinds of picture-based and other camouflaged attacks multiply.
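Two of the points above, that a filter keyed on words such as “bank” sees nothing once those words are camouflaged inside an image, and Davis's observation that most security systems do not look hard at images, can be shown with a short Python script. It is an added illustration, not code from the article or from Trusteer, Critical Watch, Backbone Security or Proofpoint, and it does not claim to reproduce how ZeusVM actually encodes its data. The carrier is a constructed, JPEG-shaped byte string standing in for a photo; the configuration text, the XOR key and the names `hide_config`, `find_eoi`, `keyword_scan`, `image_aware_scan` and `recover_config` are all assumptions made for the example; and the hiding method (obfuscated bytes appended after the JPEG end-of-image marker, which viewers never render) is one generic trick chosen because it is easy to see and easy to check for.

```python
"""Constructed demo: a configuration block hidden inside a JPEG carrier.

Added example, not code from the article or from any vendor it quotes.
The carrier, the configuration text, the XOR key and every function name
are assumptions made for this illustration.
"""
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image; decoders stop here


def make_minimal_jpeg():
    """Constructed stand-in for a harmless photo: SOI, APP0/JFIF, SOS, a few
    scan bytes, EOI. It has the marker structure a scanner walks; it is not
    meant to decode to a real picture."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\x56\x78" * 8
    return SOI + app0 + sos + scan + EOI


# Assumed instruction set: the kind of per-bank field list the article describes.
CONFIG = b"target=bank.example;fields=user,pass,otp;post=https://c2.example/gate.php"
KEY = b"\x5a\xa5\x3c"  # assumed toy obfuscation key, not ZeusVM's scheme


def xor(data, key):
    """Repeating-key XOR; used here only so plain words like 'bank' vanish."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_config(jpeg, config, key=KEY):
    """Append the obfuscated config after EOI. Viewers stop at EOI, so the
    picture renders exactly as before."""
    return jpeg + xor(config, key)


def find_eoi(data):
    """Walk the JPEG marker segments and return the offset of the EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:
            # Entropy-coded data follows SOS. Skip it up to the next real
            # marker: 0xFF00 is a stuffed byte, 0xFFD0-0xFFD7 are restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker")


def keyword_scan(data, words=(b"bank", b"gate.php")):
    """The string filter the article says earlier Zeus detection leaned on."""
    return [w for w in words if w in data]


def image_aware_scan(data):
    """Flag a JPEG that carries bytes past EOI; return (suspicious, trailing)."""
    trailing = data[find_eoi(data) + 2:]
    return len(trailing) > 0, trailing


def recover_config(data, key=KEY):
    """What the infected host would do: pull the trailer and de-obfuscate it."""
    flagged, trailing = image_aware_scan(data)
    return xor(trailing, key) if flagged else b""


if __name__ == "__main__":
    stego = hide_config(make_minimal_jpeg(), CONFIG)
    print("keyword filter sees:", keyword_scan(stego))        # []
    print("bytes after EOI?   ", image_aware_scan(stego)[0])  # True
    print("recovered config:  ", recover_config(stego))
```

Run as a script, it shows the keyword filter finding nothing in the carrier while the structural check flags the trailing bytes and the de-obfuscation step gets the configuration back. The same idea applies to any image a mail gateway or web proxy forwards: parse the format and treat bytes that no decoder would ever render as data worth inspecting. Expect some benign hits, since some software appends its own trailer after EOI, so use the check as a triage signal rather than a verdict.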

© 2024 ALM Global, LLC, All Rights Reserved.